What E-Mail Hackers Know That You Don't


8/3/2019 What E-Mail Hackers Know That You Don't

    White Paper

What E-Mail Hackers Know that You Don't

This document outlines how hackers are exploiting vulnerabilities in e-mail systems, and describes the widely available hacking tools they use. As a collection of already published risks to e-mail security, this white paper is written to educate IT security managers on the challenges they face.

E-Mail Security Challenges

E-mail systems such as Microsoft Exchange, Lotus Notes and GroupWise were constructed with a single purpose in mind: accept and send the maximum amount of mail, and route that mail as efficiently as possible. Without question this has succeeded; e-mail is the most commonly utilized business communication tool on the planet, and its use is projected to continue to rise. In fact, the current volume of e-mail sent worldwide is now more than 50 billion messages per day, with that number expected to double by 2008.

E-mail's continually burgeoning popularity makes it an increasingly attractive target for individuals seeking to do harm, either for their own misguided personal satisfaction or, more likely, for financial gain. The first e-mail hackers found simple vulnerabilities in the operating systems and protocol stacks of e-mail systems, and exploited these known weaknesses. Now, however, hackers and virus writers have become specialists, constantly developing new and innovative methods of overcoming the improvements made in today's security systems. The game of cat-and-mouse is unlikely to end any time soon, if ever. With every improvement in defensive techniques, hackers and virus writers modify their tactics in an attempt to circumvent these defenses and wreak havoc on corporate networks.

    Vulnerabilities of E-Mail Systems

Along with the many conveniences and efficiencies that e-mail use brings to an organization, there are some inherent risks and vulnerabilities:

    TCP & UDP Communications Protocols

Internet communications protocols were designed to enable seamless communication among multiple machines. As a result, hackers seek to exploit the open nature of these protocols to attack organizations. The TCP/IP protocol was designed before there was much experience with the wide-scale hacking that is seen today and, as a result, there are a number of general security flaws.

The first level of attack involves discovering services which exist on the target network. This involves a number of possible techniques to gather data on the remote network, including:

Ping Sweeps: Pings a range of IP addresses to find which machines are active. Sophisticated scanners will use other protocols (such as an SNMP sweep) to do the same thing.

TCP Scans: Probes for open (listening) TCP ports, searching for services the intruder can exploit. Scans can use normal TCP connections or stealth scans that use half-open connections (to prevent them from being logged) or FIN scans (never opens a port, but tests if someone's listening).

UDP Scans: Sends a garbage UDP packet to the desired port. Most machines will respond with an ICMP "destination port unreachable" message, indicating that no service is listening at that port. These scans are a little bit more difficult because UDP is a connectionless protocol.

OS Identification: Identifies the operating system and applications by sending TCP packets. Each operating system's unique responses to inputs forms a signature that hackers can use to figure out what the target machine is and what may be running on it.

    Hackers are free to forge and change IP data with impunity

There are a range of attacks that take advantage of the ability to forge (or 'spoof') an IP address. While a source address is sent along with every IP packet, this source address isn't actually used for routing to the destination. As such, the attacker can forge a source IP address, allowing the attacker to exploit the remote server while pretending to be someone else.

IP spoofing is used frequently as part of other attacks such as SMURFing, in which the source address of a broadcast ping is forged so that a huge number of machines that are pinged respond back to the victim indicated by the address, overloading it (or its link).

    LDAP/Active Directory accessibility

Many organizations have inbound e-mail gateways which are tied to LDAP or other types of directories to validate the legitimacy of the inbound e-mail recipients. If the inbound e-mail address is valid, the e-mail is forwarded on to the addressee. However, if the e-mail address is non-existent, a response is dispatched to the sender notifying them of the invalid e-mail address. Hackers exploit this inherent politeness of the e-mail systems to gain access to valid addresses. They then unleash Directory Harvest Attacks (DHA), whereby a program guesses at possible e-mail addresses within a domain and attempts to send a message to that domain. In a situation such as this, the e-mail gateway rejects those addresses that are invalid. By process of elimination, addresses that are not rejected are deemed valid by the hacker, spammer, or virus writer and added to their database of legitimate addresses.

Servers can be instructed not to reject bad addresses; however, this can result in a never-ending increase in mail volume which must be processed by the organization.
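As an added example (not from the white paper or CipherTrust), the following defender-side logic spots a Directory Harvest Attack from the gateway's own recipient-check decisions, so a harvesting client can be rate-limited without turning off rejections for everyone. The log format, client addresses and thresholds are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a simplified, Postfix-like format (not from any real server).
# Each "client=" line is one RCPT TO decision: client IP, recipient tried, and outcome.
SAMPLE_LOG = """\
2005-03-01T10:00:00 connect from unknown[203.0.113.7]
2005-03-01T10:00:01 client=203.0.113.7 rcpt=<aaron@example.com> status=rejected reason="User unknown"
2005-03-01T10:00:02 client=203.0.113.7 rcpt=<abby@example.com> status=rejected reason="User unknown"
2005-03-01T10:00:03 client=203.0.113.7 rcpt=<adam@example.com> status=rejected reason="User unknown"
2005-03-01T10:00:04 client=203.0.113.7 rcpt=<alan@example.com> status=rejected reason="User unknown"
2005-03-01T10:00:05 client=203.0.113.7 rcpt=<alice@example.com> status=accepted
2005-03-01T10:00:06 client=203.0.113.7 rcpt=<amy@example.com> status=rejected reason="User unknown"
2005-03-01T10:00:07 client=203.0.113.7 rcpt=<andy@example.com> status=rejected reason="User unknown"
2005-03-01T10:00:08 client=203.0.113.7 rcpt=<anna@example.com> status=rejected reason="User unknown"
2005-03-01T10:00:09 client=203.0.113.7 rcpt=<art@example.com> status=rejected reason="User unknown"
2005-03-01T10:01:00 client=198.51.100.5 rcpt=<bob@example.com> status=accepted
2005-03-01T10:01:05 client=198.51.100.5 rcpt=<bobb@example.com> status=rejected reason="User unknown"
2005-03-01T10:01:30 client=198.51.100.5 rcpt=<carol@example.com> status=accepted
2005-03-01T10:02:00 client=198.51.100.5 rcpt=<dave@example.com> status=accepted
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) rcpt=<(?P<rcpt>[^>]*)> status=(?P<status>accepted|rejected)"
)


def parse_line(line):
    """Return (timestamp, client_ip, status) for a recipient-decision line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["ip"], m["status"]


def detect_dha(log_text, window=timedelta(seconds=60), min_rejects=5, min_ratio=0.5):
    """Map client IP -> (rejected, total) for clients that look like a harvest.

    A client is flagged when, inside some span no longer than `window`, it collected
    at least `min_rejects` unknown-user rejections AND its overall reject ratio is at
    least `min_ratio`. A legitimate sender who mistypes one address never hits both.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            ts, ip, status = rec
            events[ip].append((ts, status))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        peak = 0
        start = 0
        for end, (ts, _) in enumerate(evs):
            # slide the window start forward so evs[start:end+1] spans at most `window`
            while ts - evs[start][0] > window:
                start += 1
            peak = max(peak, sum(1 for _, s in evs[start:end + 1] if s == "rejected"))
        rejected = sum(1 for _, s in evs if s == "rejected")
        if peak >= min_rejects and rejected / len(evs) >= min_ratio:
            flagged[ip] = (rejected, len(evs))
    return flagged


if __name__ == "__main__":
    for ip, (bad, total) in detect_dha(SAMPLE_LOG).items():
        print(f"possible directory harvest from {ip}: {bad}/{total} recipients rejected")
```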

    Social engineering

Unfortunately, the trusting nature of most people makes them vulnerable to social engineering from a hacker. In these attacks, a hacker may use a tool as simple as an Internet search to find legitimate e-mail addresses within an organization. The hacker will then send an e-mail to the known valid address in order to elicit a response. If a response is received, the hacker will examine the headers in order to determine the path followed by valid mail within the organization. Additionally, this information can be used to set up attacks at the machine level, or over the phone using more social engineering techniques, to glean login/password information.

    Misguided belief in the firewall as adequate protection

A common misunderstanding is that firewalls recognize e-mail-borne attacks and block them.

Firewalls simply control network-based connectivity and usually perform no scrutiny upon traffic coming through on the standard e-mail port (port 25). The firewall administrator adds rules that allow specific types of network level traffic to go through the firewall. For example, a typical corporate firewall allows mail traffic to pass through unimpeded; thus the firewall assumes that any traffic being passed on port 25 is indeed e-mail. This assumption is extremely faulty, as an attacker may also use port 25 to deliver an attack, thus bypassing any protection the firewall might provide.

How Hackers Attack

Multiple different mail servers are used in today's enterprises; chosen for performance, price, name recognition or any of a number of other reasons, servers such as Lotus Notes and Microsoft Exchange dominate the corporate e-mail landscape. Once a company has chosen a mail server, it is essentially beholden to that brand, as the primary server platforms are not interoperable. Each different mail server has its own set of known vulnerabilities, giving resourceful hackers ample opportunity to search for weaknesses. Once these weaknesses are identified, a single hacker can take down an entire rack of mail servers in the blink of an eye. The following sections outline some of the vulnerabilities widely known within hacking circles and explain how hackers are able to take advantage of these security holes.

    IMAP & POP Vulnerabilities

Hackers have found a number of issues in both IMAP & POP servers that are exploited. Items such as dictionary attacks can expose sensitive e-mail which is stored on an IMAP or POP server. There are countless tools available for performing these attacks, and the graphical nature of many of these tools makes it simple for even a novice to perform these attacks. Additionally, weak passwords are common vulnerabilities in these protocols. Many organizations do not have adequate controls for password strength, thus end users will use passwords which can easily be broken. Lastly, there may be concerns about defects or bugs in various IMAP and POP services which can leave them susceptible to other types of exploits such as buffer overflows.

    Denial-of-Service (DoS) Attacks

Ping of death: Sends an invalid fragment, which starts before the end of packet, but extends past the end of the packet.

Syn Flood: Sends TCP SYN packets (which start connections) very rapidly, leaving the attacked machine waiting to complete a huge number of connections, and causing it to run out of resources and start dropping legitimate connections. A new defense against this is SYN cookies. Each side of a connection has its own sequence number. In response to a SYN, the attacked machine creates a special sequence number that is a cookie of the connection, then forgets everything it knows about the connection. It can then recreate the forgotten information about the connection when the next packets come in from a legitimate connection.

Loop: Sends a forged SYN packet with identical source/destination address/port so that the system goes into an infinite loop trying to complete the TCP connection.
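The SYN cookie defense described under Syn Flood, worked through as an added example (not code from the white paper or any real TCP stack): the server folds a time counter, an MSS index and a keyed hash into its initial sequence number, keeps no state, and recovers everything from the client's ACK. The secret, the MSS table and the 4-tuple values are constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed per-boot secret; a real stack draws this from a random source at startup.
SECRET = b"constructed-demo-secret-key"

# MSS values the server is willing to encode in 3 bits of the cookie (constructed table).
MSS_TABLE = (536, 1300, 1440, 1460)


def _mac24(src_ip, dst_ip, sport, dport, t):
    """24-bit keyed hash over the connection 4-tuple and the coarse time counter t."""
    msg = struct.pack("!4s4sHHB",
                      ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed,
                      sport, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, dst_ip, sport, dport, client_mss, now):
    """Build the server's initial sequence number in reply to a SYN.

    Layout (classic scheme): top 5 bits = time counter in 64-second ticks (mod 32),
    next 3 bits = index of the largest MSS in MSS_TABLE not above the client's,
    low 24 bits = keyed hash. No per-connection state survives this call.
    """
    t = (now // 64) & 0x1F
    fits = [i for i, mss in enumerate(MSS_TABLE) if mss <= client_mss]
    mss_idx = fits[-1] if fits else 0
    return (t << 27) | (mss_idx << 24) | _mac24(src_ip, dst_ip, sport, dport, t)


def check_cookie(src_ip, dst_ip, sport, dport, ack, now, max_age=2):
    """Validate the ACK of the third handshake packet against a cookie we may have issued.

    Returns the MSS recovered from the cookie when the ACK is genuine and recent,
    otherwise None. Nothing was stored for this connection: everything needed is
    recomputed from the 4-tuple, the secret and the cookie itself.
    """
    cookie = (ack - 1) & 0xFFFFFFFF           # the client acknowledges ISN + 1
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    age = (((now // 64) & 0x1F) - t) & 0x1F   # ticks elapsed, modulo 32
    if age > max_age:
        return None                           # too old: stale or forged, drop it
    if (cookie & 0xFFFFFF) != _mac24(src_ip, dst_ip, sport, dport, t):
        return None                           # hash mismatch: not our cookie for this 4-tuple
    return MSS_TABLE[mss_idx]


def handshake_demo():
    """SYN -> SYN/ACK(cookie) -> ACK for a constructed client talking to port 25."""
    now = 1_000_000
    isn = make_cookie("203.0.113.7", "198.51.100.25", 40000, 25, 1460, now)
    # The client's ACK carries isn + 1; the server validates it statelessly a moment later.
    mss = check_cookie("203.0.113.7", "198.51.100.25", 40000, 25,
                       (isn + 1) & 0xFFFFFFFF, now + 3)
    return isn, mss


if __name__ == "__main__":
    isn, mss = handshake_demo()
    print(f"cookie ISN=0x{isn:08x}, connection accepted with MSS={mss}")
```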

    System Configuration Holes

Weaknesses in enterprise system configuration can be classified as follows:

Default configurations: Most systems are shipped to customers with default, easy-to-use configurations. Unfortunately, easy-to-use can mean easy-to-break-into as well. Almost any UNIX or WinNT machine shipped can be exploited rather easily.

Empty/Default root passwords: A surprising number of machines are configured with empty or default root/administrator passwords. One of the first things an intruder will do on a network is to scan all machines for empty passwords.

Hole creation: Virtually all programs can be configured to run in a non-secure mode which can leave unnecessary holes on the system. Additionally, sometimes administrators will inadvertently open a hole on a machine. Most administration guides will suggest that administrators turn off everything that doesn't absolutely need to run on a machine in order to avoid accidental holes. Unfortunately this is easier said than done, since many administrators aren't familiar with disabling many common services.

To execute a Denial-of-Service (DoS) attack, a hacker uses Trojans to take control over a potentially unlimited number of zombie computers, which then take aim at a single target and flood it with traffic in an attempt to overwhelm the server.

    Exploiting Software Issues

Software bugs can be exploited in the server daemons, the client applications, the operating system, and the network stack. Software bugs can be classified in the following manner:

Buffer Overflows: Almost all the security holes you read about in the press are due to this problem. A typical example is a programmer who will set aside a specific number of characters to hold a login username. Hackers will look for these types of vulnerabilities, often sending longer strings than specified, including code that will be executed by the server. Hackers find these bugs in several ways. First, the source code for a lot of services is available on the net. Hackers routinely look through this code searching for programs that have buffer limitations. Hackers will also examine every place the program accepts input and try to overflow it with random data. If the program crashes, there is a good chance that carefully constructed input will allow the hacker to break into the system.

Unexpected Combinations: Programs usually are constructed using many layers of code, including the underlying operating system as the bottom-most layer. Intruders can often send input that is meaningless to one layer, but meaningful to another when constructed properly.

Unhandled Input: Most programs are written to handle valid input. Most programmers do not consider what happens when somebody enters input that doesn't match the specification.

    Exploiting the Human Factor

Education of e-mail users by organizations regarding how hackers seek to exploit them has improved to the point that a large majority of e-mail users now have at least a rudimentary understanding of fundamental security. The basic message regarding not opening certain malicious attachment types, particularly .exe files, from unknown senders is widely known. This means the hackers are being forced to redouble their efforts in order to counteract the education that e-mail users are receiving.

Examples of hackers using sophisticated means to get users to open e-mail attachments include the following:

Double Extension: The Netsky, Lovegate, and Klez viruses took advantage of this vulnerability. Malicious files are given a double extension such as filename.txt.exe to trick the user into running the executable. NetSky actually would place 100 spaces between the extensions so the victim would not see the second extension. NetSky would also put the DOS command COM at the end of a string that appeared to be a Web address ending in .COM.

Password-Protected Zip File: Virus writers encrypt the virus in a password protected zip and send the file to users with the password in the message body. Since the encrypted file skips virus scanning, the end user gets what they think is legitimate e-mail. Unfortunately, in most cases this message has a look of urgency and the unsuspecting user will many times go the extra mile to open the malicious attachment.

Plain Trickery: Hackers harvest e-mail addresses from LDAP servers and spoof the from field with names the victim would recognize so they open the e-mail and attachments, or try to trick the victim into accessing a Web site. Common tactics include sending e-mails with headings with "re:" or "Re: re: re:" included to make the victim believe it is a chain e-mail. Another common header tactic is including technical terms that make the victim believe that an e-mail system error was encountered; MyDoom used this tactic effectively. The Bagle worm would use icons of text files, folders, and Excel files for executables in hopes a user would not check the filename closely. The Sober.D worm tried to fool the user into believing that it was a patch delivered from Microsoft for the MyDoom worm. Again, this message contained a malicious attachment which preyed upon the user's belief that the message was sent by a legitimate source.
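As an added example (not from the white paper or CipherTrust), here is gateway-side attachment inspection for the Double Extension and Password-Protected Zip tricks above: it flags a hidden second extension, the 100-space padding, a ".COM" that is really an executable, and a zip whose members are encrypted and so cannot be scanned. The message, filenames and archive are constructed inline so the check runs offline.

```python
import base64
import email
import io
import zipfile

# Extensions Windows executes on double-click (constructed, non-exhaustive list).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}


def attachment_findings(filename, payload):
    """Return the reasons an attachment should be held, or [] if none apply."""
    findings = []
    parts = (filename or "").split(".")
    final_ext = parts[-1].strip().lower() if len(parts) >= 2 else ""
    # "notes.txt<many spaces>.exe": the real extension is pushed out of view
    if len(parts) >= 2 and parts[-2] != parts[-2].rstrip():
        findings.append("whitespace padding before final extension")
    if final_ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{final_ext}")
        if len(parts) >= 3 and parts[-2].strip():
            findings.append("double extension")
    if final_ext == "zip" or payload[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                # general-purpose flag bit 0 marks an encrypted (password-protected) member
                if any(info.flag_bits & 0x1 for info in zf.infolist()):
                    findings.append("encrypted zip member(s): content cannot be scanned")
        except zipfile.BadZipFile:
            findings.append("claims to be a zip but is not a valid archive")
    return findings


def scan_message(raw_bytes):
    """Map each attachment filename in a raw RFC 822 message to its findings."""
    msg = email.message_from_bytes(raw_bytes)
    results = {}
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = part.get_filename() or "<unnamed>"
            results[name] = attachment_findings(name, part.get_payload(decode=True) or b"")
    return results


def _constructed_encrypted_zip():
    """Tiny archive with the 'encrypted' flag set on its central-directory entry.

    Python's zipfile cannot write password-protected archives, so the demo flips
    flag bit 0 (at offset 8 of the central directory header) after writing.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.exe", b"MZ constructed, not a real executable")
    data = bytearray(buf.getvalue())
    cd = data.find(b"PK\x01\x02")
    data[cd + 8] |= 0x01
    return bytes(data)


def constructed_message():
    """Raw bytes of a constructed e-mail carrying four attachments for the demo."""
    attachments = [
        ("text/plain", "readme.txt", b"harmless notes"),
        ("application/octet-stream", "notes.txt" + " " * 100 + ".exe", b"MZ constructed"),
        ("application/octet-stream", "www.example.com", b"MZ constructed"),
        ("application/zip", "invoice.zip", _constructed_encrypted_zip()),
    ]
    out = ["From: helpdesk@example.com\r\nTo: user@example.com\r\n"
           "Subject: Re: re: re: urgent\r\nMIME-Version: 1.0\r\n"
           'Content-Type: multipart/mixed; boundary="B"\r\n\r\n']
    for ctype, name, data in attachments:
        out.append(f"--B\r\nContent-Type: {ctype}\r\n"
                   f'Content-Disposition: attachment; filename="{name}"\r\n'
                   "Content-Transfer-Encoding: base64\r\n\r\n"
                   f"{base64.b64encode(data).decode()}\r\n")
    out.append("--B--\r\n")
    return "".join(out).encode()


if __name__ == "__main__":
    for name, reasons in scan_message(constructed_message()).items():
        print(f"{name.strip()!r}: {reasons or 'clean'}")
```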

Self-Propagation: The New Mission of Attacks

Hackers are becoming increasingly sophisticated and are no longer content with simply gaining access to networks to cause mischief and disrupt service. Whereas hackers first spread viruses through individual networks simply because they could, we now are seeing more and more attacks that involve the use of Trojans designed to spread a virus to as many computers as possible, with the intent of taking control of these machines for nefarious purposes.

    Trojans

Trojans enter the victim's computer undetected, usually disguised as a legitimate e-mail attachment. Once the Trojan is opened by the unsuspecting recipient, the attacker is granted unrestricted access to the data stored on the computer. Trojans can either be hidden programs running on a computer, or hidden within a legitimate program, meaning a program that the user trusts will have functions they are not aware of. The following chart outlines some of the most popular types of Trojans used by hackers:

Type / Purpose

Remote Access: Designed to give the hacker access to the victim's machine. Traditionally, Trojans would listen for a connection on a port that had to be available to the hacker. Now Trojans will call out to hackers, giving the hacker access to machines that are behind a firewall. Some Trojans can communicate through IRC commands, meaning a real TCP/IP connection is never made.

Data Sending: Sends information back to the hacker. Tactics include key logging, searching for password files and other private information.

Destructive: Destroys and deletes files.

Denial-of-Service: Gives a remote hacker the power to start Distributed DoS (DDoS) attacks using multiple zombie computers.

Proxy: Designed to turn the victim's computer into a proxy server available to the hacker. Used for anonymous Telnet, ICQ, IRC, etc. to make purchases with stolen credit cards, etc. Gives the hacker complete anonymity as the trail leads back to the infected computer.

    Spreading Viruses via Trojans

Hybrid attacks that combine the use of Trojans and traditional viruses have become increasingly popular. An example of this is the notorious Nimda virus that used multiple methods to spread itself and managed to get past anti-virus software by using a behavior not typically associated with viruses. Nimda exploited a flaw in the MIME header and managed to infect 8.3 million computers worldwide.

The increased sophistication of attacks is evidenced by viruses containing their own SMTP engines (MyDoom, Bagle.G, NetSky). By using its own SMTP engine, a virus can avoid the use of MAPI, which allows it to isolate itself from any e-mail client configuration issues and integrated virus scanner(s) that may be present.

    Typical Hacking Scenario

While not all hacker attacks are alike, the following steps outline what could be referred to as a typical attack scenario. Keep in mind that an attack on your enterprise may look completely different from the one outlined below, as the methods used in attacks are constantly changing to adapt to improved security techniques.


    Step 1: Outside Reconnaissance

The intruders will attempt to find out as much information as possible without actually exposing themselves. They will do this by finding public information or appearing as a normal user. In this stage, you really can't detect them. The intruders will do a 'whois' lookup to find as much information as possible about your network as registered along with your Domain Name. The intruders might walk through your DNS tables (using 'nslookup', 'dig', or other utilities to do domain transfers) to find the names of your machines. The intruders will browse other public information, such as your public Web sites and anonymous FTP sites. The intruders might search news articles and press releases about your company.

Additionally, many attackers will resort to social engineering steps in an effort to perform their outside reconnaissance. For example, an attacker might call an employee on the phone posing as a member of the Information Technology department. The attacker might then request personal information from the vulnerable employee such as username or password information. Unfortunately, many unsuspecting employees, when presented with a supposed authority figure, will give any information at their disposal, thus putting the organization at significant risk.

    Step 2: Inside Reconnaissance

Here, intruders use more technically invasive techniques to scan for information, but still don't do anything physically harmful. They might do a ping sweep in order to see which machines are active. They might do a UDP/TCP scan on target machines in order to see what services are available. They'll run utilities like rpcinfo, showmount or snmpwalk in order to see what information is available. Hackers also will send e-mail to invalid users to receive error responses so that they can determine information such as how many hops are involved in the mail system, where in the infrastructure the company does recipient checking on inbound e-mails, and other information that can be gleaned from the data captured in e-mail headers. At this point, the intruders have engaged only in normal activity on the network and have not done anything that can be classified as an intrusion.

Step 3: Exploit

At this point, the intruders cross the line and start exploiting possible holes in the target machines. The intruders might attempt to exploit well-known buffer overflow holes by sending large amounts of data, or may start checking for login accounts with easily guessable (or empty) passwords. The hackers may go through several stages of exploits. For example, if the hackers were able to access a user account, they will now attempt further exploits in order to get root/admin access.

Step 4: Foothold

At this stage, the hackers have successfully gained a foothold into your network by hacking into a machine. The intruders' main goal is to hide evidence of the attacks (doctoring the audit trail and log files) and make sure they can get back in again. They may install toolkits that give them access, replace existing services with their own Trojan horses that have backdoor passwords, or create their own user accounts. System Integrity Verifiers (SIVs) can often detect an intruder at this point by noting the changed system files. The hackers will then use the system as a stepping stone to other systems, since most networks have fewer defenses from inside attacks.

    Step 5: Profit

    This is where it can get really ugly for an enterprise.

The intruders now can take advantage of their status to steal confidential data, misuse system resources (i.e. stage attacks at other sites from your site), or deface Web pages, often receiving monetary rewards from behind-the-scenes benefactors.

Another scenario starts differently. Rather than attack a specific site, intruders might simply scan random Internet addresses looking for a specific hole. For example, intruders may attempt to scan the entire Internet for machines that have the SendMail DEBUG hole. They simply exploit such machines that they find. They don't target you directly, and they really won't even know who you are. (This is known as a birthday attack; given a list of well-known security holes and a list of IP addresses, there is a good chance that there exists some machine somewhere that has one of those holes.)

The Hacker's Toolkit

The following tools make up the standard toolkit for an intruder:

Tool / Purpose

Crack/NTcrack/L0phtCrack: Crack network passwords using dictionaries or brute force. These packages also contain utilities for dumping passwords out of databases and sniffing them off the wire.

Exploit Packs: A set of one or more programs that know how to exploit holes on systems (usually designed to be used once the targeted user is logged on).

NAT: Based on the SAMBA code, NAT is useful for discovering NetBIOS/SMB information from Windows and SAMBA servers.

Netcat: Characterized as a TCP/IP Swiss Army Knife, netcat allows intruders to script protocol interactions, especially text-based protocols.

Ping Sweepers: For pinging large numbers of machines to determine which ones are active.

Remote Security Auditors: Programs such as SATAN that look for a number of well known holes in machines all across the network.

Scanners: Programs like SATAN, ISS or CyberCop Scanner that probe the system for vulnerabilities. These tools check for a huge number of vulnerabilities and are generally automated, giving the hacker the highest return for minimal effort.

Sniffing Utilities: For watching raw network traffic, such as Gobbler, tcpdump, or even a Network Associates Sniffer Network Analyzer.

TCP and UDP Port Scanners: For scanning/strobing/probing which TCP ports are available. TCP port scanners can also run in a number of stealth modes to evade loggers.

War Dialers: Look for dial-in ports by dialing multiple phone numbers.

Protect Your Enterprise

As businesses place increasing reliance on e-mail systems, they must address the growing security concerns from both e-mail borne attacks and attacks against vulnerable e-mail systems. When enterprise e-mail systems are left exposed by insecure devices, hackers can enter the organization and compromise the company's corporate backbone, rendering investments in information technology security useless. The implications from a security breach can impact the company's reputation, intellectual property and ability to comply with government regulations. The only way for organizations to fortify their e-mail systems is to use a comprehensive e-mail security gateway to lock down the e-mail systems. This approach includes:

1. Locking down the e-mail system at the perimeter: Perimeter control for the e-mail systems starts with deploying an e-mail gateway. The e-mail gateway should be purpose-built with a hardened operating system, and intrusion detection capabilities to prevent the gateway from being compromised.

2. Securing access from outside systems: The e-mail security gateway must be responsible for handling traffic from all external systems, and must ensure that traffic passed through is legitimate. By securing access from outside, applications like Web mail are prevented from being used to gain access to internal systems.

3. Real-time monitoring of e-mail traffic: Real-time monitoring of e-mail traffic is critical to preventing hackers from utilizing e-mail to gain access to internal systems. Detection of attacks and exploits in e-mail, such as malformed MIME, requires continuous monitoring of all e-mail.

An e-mail security gateway should provide the following benefits:

    Simplify Administrator Work

Rather than having multiple appliances from different vendors provide piecemeal protection for different areas of your e-mail network, the e-mail security solution that protects your enterprise should be capable of protecting the entire e-mail system on its own. Comprehensive security must be purpose-built into the e-mail security appliance, not added as an afterthought.

    Easy Integration

Integrating an intrusion detection/prevention system can be complicated, depending on your requirements. However, these systems must not complicate a network, and they should not require the administrator to spend additional time managing them.

    Easy Configuration

Many intrusion detection systems are difficult to navigate and configure. A purpose-built e-mail security system containing intrusion detection and prevention should be easy to configure and manage, with settings based on established best practices for your particular type of business.

About CipherTrust

CipherTrust, Inc., the global market leader in messaging security, provides innovative solutions to stop inbound e-mail threats such as spam, viruses, intrusions, spyware, phishing, and protects against outbound policy and compliance violations. Recognized by IDC as the market leader, CipherTrust protects 1800 organizations in more than 40 countries worldwide, and is backed by top-tier investors including Battery Ventures and Greylock Partners. To learn more about CipherTrust and how we can protect your enterprise e-mail network, visit www.ciphertrust.com or call 1-877-448-8625.

    www.ciphertrust.com -7- Copyright 2005, CipherTrust, Inc. All Rights Reserved